Some Devices May Never Recover From The Heartbleed Bug, Report Says


By Lisa Eadicicco

The Enterprise, Brockton, MA


Posted Apr. 10, 2014 at 10:03 AM



While some online services and social networks (such as Google and Twitter) have issued updates to address the Heartbleed bug, a severe security flaw affecting a large chunk of the Internet, many devices may never see a fix, according to a new report from MIT Technology Review.

The Heartbleed bug affects OpenSSL, a popular open-source implementation of the SSL/TLS encryption protocols that is used widely across the Internet.

OpenSSL is also used in the software that connects home and office devices to the Internet, and the flaw could live on for years in connected home devices and networking hardware because they are not updated very often, MIT Technology Review reports.

These devices include cable boxes and Internet routers, Philip Lieberman, president of security firm Lieberman Software, told MIT Technology Review.

These types of devices often run a basic Web server that lets administrators reach a control panel over the network. Those servers are frequently secured with OpenSSL, so they too will need to be updated following the Heartbleed discovery.

The situation is similar for many companies, MIT reports, since enterprise network hardware and business automation systems also rely on OpenSSL. These devices are also rarely updated, according to MIT:

Large-scale scans of Internet addresses have previously uncovered hundreds of thousands of devices, ranging from IT equipment to traffic control systems, that are improperly configured or have not been updated to patch known flaws.

Jonathan Sander, strategy and research officer at STEALTHbits Technologies, offered the following analogy in MIT's report to emphasize how difficult it could be to track down every gadget affected by Heartbleed:

OpenSSL is like a faulty engine part that's been used in every make and model of car, golf cart and scooter.

Although the bug was uncovered only days ago, it is unclear exactly how long it has affected OpenSSL. Mark Schloesser, a security researcher at IT security company Rapid7, told MIT that it may affect anything built on a version of OpenSSL released between December 2011 and now.

The Heartbleed bug was discovered earlier this week by Google Security's Neel Mehta and a team of engineers at Codenomicon. The flaw is particularly harmful because it can trick servers into spitting out huge chunks of data, which puts user passwords, credit card numbers and other sensitive information at risk of compromise. Users are being advised to change their passwords as a precaution.
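The "huge chunks of data" described above come from a missing length check in OpenSSL's handling of the TLS heartbeat extension. As an added example, not code from the article or from OpenSSL itself, here is a simplified C model of that check in its vulnerable and fixed forms; the message layout assumed is the one RFC 6520 defines, and the two demo requests are constructed for illustration.

```c
/* Added, simplified model of the length check behind Heartbleed (constructed
 * example, not OpenSSL's code). A TLS heartbeat message (RFC 6520) is a 1-byte
 * type, a 2-byte claimed payload length, the payload, and >=16 bytes of padding.
 * The bug: the reply copied the claimed number of payload bytes without checking
 * that the received record was that long, so a short record with a large claimed
 * length echoed back adjacent process memory. The fix is the bounds check below. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* Returns how many payload bytes the reply would echo, or -1 if the message is
 * discarded. 'vulnerable' selects the pre-fix path that trusts the claimed length. */
int heartbeat_reply_len(const uint8_t *rec, size_t rec_len, int vulnerable)
{
    if (rec_len < HB_HEADER_LEN)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (vulnerable)
        return payload_len;                     /* never compared to rec_len */
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > rec_len)
        return -1;                              /* RFC 6520: silently discard */
    return payload_len;
}

/* Well-formed request: claims 4 payload bytes and carries 4 plus the padding. */
int demo_valid_request(int vulnerable)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = {1, 0, 4, 'p', 'i', 'n', 'g'};
    return heartbeat_reply_len(rec, sizeof rec, vulnerable);
}

/* Malformed request: claims 65535 payload bytes but carries only one. */
int demo_short_request_large_claim(int vulnerable)
{
    uint8_t rec[HB_HEADER_LEN + 1 + HB_MIN_PADDING] = {1, 0xFF, 0xFF, 'x'};
    return heartbeat_reply_len(rec, sizeof rec, vulnerable);
}

int main(void)
{
    printf("valid request: vulnerable=%d fixed=%d\n",
           demo_valid_request(1), demo_valid_request(0));
    printf("short request claiming 65535: vulnerable=%d fixed=%d\n",
           demo_short_request_large_claim(1), demo_short_request_large_claim(0));
    return 0;
}
```

The fixed path is the same shape as the check OpenSSL's patch added: a message whose claimed length does not fit inside the received record is dropped instead of answered.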